oliver-bramel
Information Security Awareness Briefing
5 November 2013
Why are you here today?
Slide 2
University’s Information Security Policy and new UAS Information Security Policy
Your Head of Department is responsible for information security within your department or section
Part of this is to ensure all your staff are made aware of their individual responsibilities for information security
The new online Information Security Awareness module - mandatory for UAS staff - will help you with this
Agenda (14:30 - 15:30)
Slide 3
Risk Management - University and national perspective
Information Security - Departmental obligations
Information Security Awareness Programme
Online awareness module for staff
Questions
Slide 4
Information Security Toolkit www.it.ox.ac.uk/infosec/istoolkit/
Lunchtime courses www.it.ox.ac.uk/infosec/protectyourself/courses/
Q&As (about Online Awareness Module) www.it.ox.ac.uk/infosec/awareness/
Online Awareness Module www.it.ox.ac.uk/infosec/module/
Contact InfoSec team
Information Security website www.it.ox.ac.uk/infosec/
Slide 5
Risk Management University and national perspective
University Strategic Risk Register (Nov12 - Health Warning)
Slide 6
Risk:
• Failure to ensure security of people, property, and information
Consequences:
• Damage to operations, financial loss
Measures:
• Strategic assessment of threat
• Appropriate security arrangements
Action:
• Review of …oversight arrangements
Risk threat (IT Services Strategic Risk Register)
Slide 7
If IT Services does not ensure that its information assets are
managed correctly and securely
- then -
there is a possibility of information loss and corruption
- resulting in a risk of -
damage to reputation and the possibility of criminal or civil
proceedings
UUK Cyber Security Policy Briefing, Jul 12
Slide 8
“Given the importance of universities to the UK economy and to economic prosperity in general, it is essential to increase the level of awareness of, and resilience to, cyber threat in the sector.”
“Cyber security can all too often be thought of as an IT issue, rather than a strategic risk management issue.”
“The cyber threats facing universities today will not be solved through investment in technology alone, but through concerted risk assessment which results in: universities identifying which critical information assets need to be prioritised for protection; and the establishment of a cyber risk oversight structure at senior level.”
Real life stories (1)
Slide 9
A laptop stolen from office
A research project was (temporarily) closed down because the laptop wasn’t encrypted, with severe operational and financial implications
CPNI www.cpni.gov.uk/Security-Planning/Staff-training-and-communications/posters/
Real life stories (2)
Slide 10
Encrypted laptops stolen from lab
HEISC on Facebook www.facebook.com/VideoPosterContest
Real life stories (3)
Slide 11
Social media hacked!
Over-sharing on social media
Real life stories (4)
Slide 12
Phishing attacks
Users who weren’t aware of their responsibilities for maintaining access to data were adversely affected when the University temporarily blocked Google Docs.
HEISC on Facebook www.facebook.com/VideoPosterContest
Real life stories (5)
Slide 13
Phishing attacks
Cryptolocker ransomware, malware that effectively destroys documents by encrypting them and demanding a ransom to unencrypt them.
CPNI www.cpni.gov.uk/Security-Planning/Staff-training-and-communications/posters/
Real life stories (6)
Slide 14
Shared computing room
Keystroke-logging incident
Images: JISC http://www.flickr.com/photos/jiscimages/435085112 and https://en.wikipedia.org/wiki/File:Keylogger-hardware-PS2-example-connected.jpg
Slide 15
Information Security - Your obligations
Incident Register
Your obligations
Slide 17
Policies: University’s Information Security Policy
UAS Information Security Policy
Departmental obligations include: an Information Security policy owned by head of section
train staff
Help is available from the Information Security team!
Slide 18
Information Security (IS) Awareness Programme
Information Security (IS) Awareness Programme
Slide 19
‘The cyber threats facing universities today will not be solved through investment in technology alone’ (Universities UK)
Creating the right culture and providing training is the most important activity
The Information Security Team is therefore working on an Awareness Programme
Information Security (IS) Awareness Programme
Slide 20
YOU ARE THE TARGET! 7 Nov, 11 Dec and next term
www.it.ox.ac.uk/infosec/
Slide 21
Online Information Security Awareness Module
Online Information Awareness Module
Slide 22
Mandatory for each member of UAS to take part in by 15 March 2014
Designed in collaboration with five Universities and customised by InfoSec team (including testing)
Highlights important considerations and information security risk
Offers a mixture of information, supporting resources and case studies
Takes approximately 45 minutes to complete and can be done in several ‘sittings’
Login via Single-Sign-On required
Online Information Awareness Module
Slide 23
www.it.ox.ac.uk/infosec/module/
Online Information Awareness Module
Slide 24
Sections, and how long it will take to complete
www.it.ox.ac.uk/infosec/module/
Online Information Awareness Module
Slide 25
How UAS staff will be informed
Slide 26
On <date> each member of UAS will receive an email invitation to take the online information security awareness module
Awareness posters will be spread across your offices
Email reminders will be circulated
Most importantly: we need your help to ensure that each member of your department completes the online awareness module!
Your questions answered
Slide 27
All UAS staff MUST take the IS Awareness Module
What if anyone refuses?
All temporary staff MUST do this?
All consulting / intern staff MUST do this?
All new staff MUST do this?
Will this module be registered against their contract of employment?
UAS staff SHOULD attend IS courses in IT Services
UAS staff SHOULD attend the course "You Are The Target!"
Will IT Services repeat this course if it is oversubscribed?
Information Security is an issue for the whole University
Why is the University raising awareness about Information Security?
Who cares who has completed the module?
How can IT Services check that someone has completed this?
Who is going to follow up this activity, next academic year?
Who will keep the module up-to-date?
What about the module outside of UAS?
Slide 28
Information Security Toolkit www.it.ox.ac.uk/infosec/istoolkit/
Lunchtime courses www.it.ox.ac.uk/infosec/protectyourself/courses/
Q&As (about Online Awareness Module) www.it.ox.ac.uk/infosec/awareness/
Online Awareness Module www.it.ox.ac.uk/infosec/module/
Contact InfoSec team
Information Security website www.it.ox.ac.uk/infosec/